Kevin Lister has a fun post over on the SANS diary where he presents tables on common web attacks and countermeasures. (Warning: I’m feeling contrarian today…)

[Aside: Some of my trivial annoyances with this article echo my similar annoyances surrounding yesterday’s announced IE CSS 0day (advisory link, krebs link, eeye link). There is a huge difference between initial attack (the 0day) and the payload…even when they’re tied together into one package or chained exploit.]

The unfortunate part of any discussion like this is defining the context/scope. In this case, I would break down context into 4 distinct options:

• non-technical home user / micro network
• technically-sound home user / micro network
• small business (~10 to a few hundred people)
• medium to large enterprise

Why the difference? Because how one approaches web security should differ depending on your context. Articles like this probably should define a scope first.

In addition, one should define the scope of the defense. Are you trying to protect against the initial attack itself, the resultant payload, or both?

While Kevin has a lot of “Free” items, none of these approaches are “free” in small and larger businesses. Even a “Low” in the tinker field means man-hours in research and support.

I have a few misc points to make as well. For home users they can also take “alternative browser” one step further by using an alternative OS. There is no mention of host firewalls, sandboxing, or virtualization (i.e. sacrificial host). I personally think the alternative OS option should have something more significant than a “-” effect. An attack against IE will fail against Firefox, and vice-versa. So we’re back into a, “it depends” mode. I also feel that the “noscript” category, based on these tables, is woefully under-valued if someone just glances at this data. I think it’s worth more than what is reflected.

I’d also note that there are three fuzzy classes of protections that probably should be treated separately.

• Those that require someone to make an update (signatures, opendns, ips, whitelists…)
• Those that stop a certain behavior from occuring (lower admin rights, noscript, dep…)
• Those that avoid the issues entirely (alternative whatevers…)

(I’d post comments, but posting on sans has been problematic at best for me…when I even remember my password there.)

Via the infosecnews mailing list I perused a cyber security article in the New Yorker. I wanted to draw attention to two and a half points.

First, I liked the discussion on the difference between “cyber espionage” and “cyber war.” That’s basically been my view of things, and how so many of the threats and “attacks” we’re seeing today are not new…it’s just traditional espionage moving further into the cyber plane. That’s it.

Second, it takes a few pages to sink into the topic of the desire of the NSA to peek into encrypted communication and how that compares to those groups and the public who strive to encrypt everything. This is a complicated picture. For instance, a private company is smaller scale of the same government/citizen issue. If the security teams can’t see into the traffic generated in the company, they also will lose quite a bit of intelligence in their operations. If an employee can set up an encrypted tunnel out port 80, this is still not something easily found and/or blocked my many enterprises. And it certainly is a problem to see what is being sent over that tunnel.

Lastly, I made note of the mention about how the NSA also wants to know the identity of people in these communications. A wholly new topic, really. At least this is far more trackable in an organization, than in a public nation.

By the way, read to the end for the payoff on the EP-3A recon aircraft that helps open the story.

Bejtlich posted, “What Do You Investigate First?” He brings up the question of three different approaches:

• focus on the threats
• focus on the assets
• focus on the vulnerabilties

These are great bullet points for a blog post (or hell, probably a small book) on how these approaches can be tackled, including perspectives from prevention, detection, response. And how these may compare to the “reality” many orgs face in responding to only the things that people will raise fire alarms about if they’re not available or what you might get in the most trouble for not responding to…

I was going to flesh this out as a full future post, but decided already that I don’t have the time, yet didn’t want to lose the beginning of my thoughts…

Wanted to link really quickly to a recent example of the problems we face in security, even amongst ourselves. EvilGrade 2.0 was recently released, and the full-disclosure announcement sparked some…discussion. As background, EvilGrade is software that assists an attacker in hijacking the upgrade process of a piece of software and sending its own executable in place of a real upgrade executable, thus having it automatically executed by the software.
The subsequent discussion brings up the points of (I’m just informally summarizing here):

• Hijacking upgrade mechanisms is a vulnerability (or weakness).
• This vuln is not necessarily easy to leverage by an attacker. Has limited (but useful!) applicability. (local network access; targeted; etc)
• There is an opportunity cost to addressing this issue. (Time spent fixing small issue = time not spent elsewhere.
• The issue may be easily fixed with certificate signing. (Everything is always ‘easy’ to someone…)
• Certificate-signing also has its own weaknesses.
• Cert-signing also means added code which means added complexity and possibly more exposure to other attacks.
• Ultimately the question: is this issue worth fixing in product ABC? Is this huge enough that we stop corporate updates until a fixed is proven, audited, and required by regulations? (Ok, I added that last part myself…)

This is a classic example of the belief that every vulnerability must be fixed, no matter the cost vs doing what you can with the resources and costs/risks available to you (which can be very subjective in measure). This sort of argument is pretty much religious. In fact, I’ve called it such in the past with posts about security religions. There are usually no universally correct answers, and there is usually pretty detrimental and venomous discussion once you start down these threads.

But it illustrates the challenges we face even amongst our own in the security circles. It gets worse when you have one person on each side of this discussion whispering into opposite ears of the non-technical business-owner who makes the ultimate decisions. (Although, cost-savers probably always have an inside track in that argument…and ‘doin nothing’ is the easier example to explain…)

Full disclosure: I have sympathies on both sides of that discussion.

I’ve already pined way too long about Medal of Honor in a previous post, and while I have no intention to make gaming a major part of this blog, I do have other comments, for closure. Again, this is the xbox version I’m playing. And, again, I still feel the multiplayer game is broken, unfinished, and unplaytested. And combinations of issues such as poor death text, poor player name displays, horrible maps, and no indication of who is talking on voice make this game pretty much impossible to truly play as a team unless you’re all in a party/clan and used to each other. If you tend to play solo or with just a couple buds like I do, the game is broken and useless.

Cons Part 2

• It bears repeating: multiplayer is not playtested and unfinished. The maps are broken. The menu system is nearly useless. The gametypes are not finished.
• I like to play Hardcore game modes. Hardcore modes tend to lower player health, remove helpful HUD pieces, and enable friendly fire. This often slows down the game a bit as players need to be a bit more careful. In MOH, not at all. The games are just as frenetic as normal teams.
• There’s only one Hardcore mode, and it rotates game types between team deathmatch, objective, sabotage, and scenario objective game types. While this is cool to experience different things, unfortunately it means all the players who just want to play team deathmatch fuck up the rest of the dynamic of the other game types. You really need to only have players playing sabotage/objective types who want to and know how to play them. It’s ok to randomize it a little bit, perhaps, but the rotation seems to go way too often to non-team deathmatch modes. Mixing in a different gametype every 10-50 matches wouldn’t be a bad thing…
• Hardcore sabotage gametypes are broken and useless. Really, what should happen is a team plays as the defenders for a round and then the other team defends, and the winner is whomever completes the objectives quicker. This game has no continuity between sessions, so you can flat out lose even if you get one objective, no matter if you owned the other team the previous game and the next game. Then again, whether you win or lose never matters, since you get no bonus points for a win and there is no tallied record of how you do.
• Hardcore mode utterly breaks offensive scorechain rewards. The offensive rewards are things like mortar strikes or rocket strikes (like artillery or bombs in COD:MW2). You set them at a target by looking through a device and marking the target. In normal modes, this device (like a pair of binoculars) has a crosshair in the middle. For some absolutely unknown reason, hardcore mode removes this crosshair. This means you’re firing blind and have no idea where you’re really hitting. In fact, I’ve killed myself this way more than enemies! This makes me choose defensive rewards almost every time. Stupid.
• I’ve had a few games in team deathmatch finish where my team had more kills and more scorechains, but a lower score such that we lost. If you’re going to score a match based on some tally of points, you need to explain the points. My only guess is the other team had longer scorechains or more headshots.
• Playing hardcore mode yields less points per game. This is backwards from every COD offering. You can do alright in points if you do the sector controlling or objectives, but obviously there are only so many of those that you can do per match. It would be nice if you also got points for winning a match.
• Teamkills should kill the team-killer. COD:MW2 gets this perfectly, if you ask me. Score penalty is nice, but what happens when you’re maxed?
• Combat assault, the game mode where a team defends a series of story-like objectives that the other team has to assault, control, or destroy, is kinda fun, but needs work. Instead of a timer, the defenders have only x number of respawns allowed for their team (200?). This means the more players the attackers kill, the more they cause this soft-timer to expire. This means the game should be played by attackers running up to objectives and defending them, then running to the next, and not killing defenders on the way unless they have to. Unfortunately, too many players play this as team deathmatch. As such, I’ve only seen one full completion in this mode. I’d like to have played this with a hard-timer to see how that goes (like 30 minutes). Also, once you get pinned down as attackers at the start, you can pretty much just be screwed. I also see no reason the attacker team should have a respawn timer. Defenders, yes. But attackers? I’d be curious how the dynamic changes without that timer for attackers.
• I and a buddy have had times where we’ve been able to see glowing outlines of other players *through* walls and boxes, especially before they’ve stepped out from behind them. I think this is a reflection of buggy netcode and whatever graphics code is used to subtly outline enemy players to differentiate them from background textures. Really cheap and silly and it’s bad that this bleeds through sometimes. This only happened in about 1 in 100 matches we played.

Pros Part 2

• I usually like playing a sniper, but often find them unfun in multiplayer games because you can’t really hide very long or get decent sightlines. In MOH, I actually find sniping rather fun. The shooting mechanism is probably the best I’ve felt in gaming (a pro for the engine moreso than anything to do with multiplayer), despite the buggy netcode. It helps that many maps have a sniper-friendly open feel to them (of course the flip side to this is how the maps break safe-spawning and game flow).
• There are painfully few maps in multiplayer, but at least in other game modes (maybe just hardcore?) the maps *seem* different because they have different lighting. There are just a few flow changes in them as well (very subtle) and maybe the backgrounds outside the map boundaries change, but overall it’s just enough to make the maps initially disconcerting and seemingly different. It’s amazing how much in game I actually make use of lighting as much as the terrain to get my bearings… It’s a pleasant surprise, even if I still believe the maps are fatally flawed.
• Combat assault, the game type that forces one team to defense while the other team pursues progressively-placed objectives is kinda fun, but untweaked. Nonetheless, it is a good attempt at the concept and I actually like how those particular maps flow.

I’ll probably never get around to this, but for my future reference, this article details 10 portable apps/types of apps that systems admins should have.

(I find it curious that the link says windows admins, the article title says network admins, and the article says systems admins…)

The PCI Council has released PCI DSS v2.0 [pdf] along with a doc of the changes [pdf]. A quick blog-post review is available from Branden Williams.

Want to grab a web page via PowerShell? Well, I do, and I found a Get-Web function on a MSDN blog post. For me, I tend to manage many web servers and sites using PowerShell scripting, and it might be useful to incorporate some Gets as part of an error checking routine. Or, as in my quick case today, an ugly one-time page monitoring script to look for delivery issues in the wee hours of a morning.

Note: I spent all of 3 minutes searching for this function, so your mileage may vary… The key part to check if you want to roll your own is the “New-Object Net.Webclient” object.

I’ll repost below just in case the source ever disappears from the web, but I suggest copying it from the link above rather than here, due to any formatting issues.

function Get-Web($url,
[switch]$self,
$credential,
$toFile,
[switch]$bytes)
{
#.Synopsis
# Downloads a file from the web
#.Description
# Uses System.Net.Webclient (not the browser) to download data
# from the web.
#.Parameter self
# Uses the default credentials when downloading that page (for downloading intranet pages)
#.Parameter credential
# The credentials to use to download the web data
#.Parameter url
# The page to download (e.g. www.msn.com)
#.Parameter toFile
# The file to save the web data to
#.Parameter bytes
# Download the data as bytes
#.Example
# # Downloads www.live.com and outputs it as a string
# Get-Web http://www.live.com/
#.Example
# # Downloads www.live.com and saves it to a file
# Get-Web http://wwww.msn.com/ -toFile www.msn.com.html
$webclient = New-Object Net.Webclient
if ($credential) {
$webClient.Credential = $credential
}
if ($self) {
$webClient.UseDefaultCredentials = $true
}
if ($toFile) {
if (-not “$toFile”.Contains(“:”)) {
$toFile = Join-Path $pwd $toFile
}
$webClient.DownloadFile($url, $toFile)
} else {
if ($bytes) {
$webClient.DownloadData($url)
} else {
$webClient.DownloadString($url)
}
}
}

Norman is currently warning about a new Firefox 0day discovered on the Nobel Peace Prize site. I don’t have much more information than that, mostly because all the “here’s the exploit details” links just talk about the delivered payload and not about this nifty Firefox 0day.

They “recommend all Internet users be cautious when surfing the net.” Really? So browsing the Nobel Peace Prize site on Tuesday would be ok if done…cautiously? Maybe click slower? Meh…this sort of advice does no one any good. Unfortunately, without knowing about this 0day, there’s not much to say other than don’t run scripts and, for home-bound geeks, watch your outbound traffic for strange things (like connections to Taiwan). For enterprise geeks, maybe inspect DNS requests for the flagged destinations and/or poke your IDS/IPS sigs. Hell, just blackhole or egress-block those destinations. Still, these are containment/detection tips…again none of which helps prevent the Firefox 0day.

We often get our panties into bunches about security issues and cyberstupidity, but Mike Murray has a career advice post that needs repeating (and I’m going to steal his punchline).

Here’s my advice: do one thing today that makes you healthier. It might be just stepping away from the desk for a while and taking a few deep breaths to relax. Maybe it’s a salad instead of the Double Whopper with Cheese. Maybe it’s taking a walk at lunch. Do something.

The older you get, the more this finally hits home not just from lessons you learn on your own but lessons you learn from others people’s mistakes and tragedies. Take care of your health, both mental and physical. Get checked out regularly, take preventive measures before things get out of control, investigate and possibly seek expert assistance when things feel off. Don’t put off to tomorrow something you can go today for your betterment. And enjoy yourself when you can. (As too many things are wont to do appear when you’re a security geek, this advice is eerily similar to advice for a good security program.)

I’m posting this because I need this advice as much as anyone else.

During some ill-advised ebay browsing, I came across this auction for the multi-display desk used in the movie Swordfish. Pretty sweet, if you ask me! Local delivery only and an unknown reserve, but I’d totally take a stab at it if I were in Cali.

Want some information about pickpockets, bag-snatching, travel, and personal space security? Check out this site for a once-over fix and some great tips.

Stumbled over there via a posting on the infosecnews mailing list.

So far I’ve not been terribly impressed by the new Medal of Honor game (xbox version), but it is a nice distraction between COD titles, especially since I don’t take to Halo much.

Single Player: I’m still working through this, but so far there is nothing new here and just perpetuates how I don’t enjoy modern FPS campaigns very much. The whole “on rails” thing is just annoying. Most of the time I don’t feel like I have to actually *do* anything except let my teammates do it, and then run around trying to figure out where they went and get caught up because I was exploring. I miss the games where it’s me against 1000 enemies…although I imagine that would create some AI challenges when you are the only target 12 enemies are shooting at… I imagine I won’t like the highest difficulty level, Tier 1, because it is time-based.

On a brighter note, I really like the low-key yet driving music so far, I love the feel of the early game sniper rifle, and I’m glad the controls are essentially identically to COD. Checkpoints are often as well. It is otherwise a solid single player experience so far. The individual moments aren’t as good as MW2 individual moments, but the sum is likely better. (COD:MW2 was a strange game built as individual moments strung together by a horrible plot, making the sum of its parts actually LESS than the parts alone. Go figure, but that’s what you get by making a story in backwards fashion and making the climax a boat chase and quick-time-event.)

Multiplayer: In short, multiplayer Medal of Honor is just plain unpolished. It really feels like the bare minimum has been done with very little real play testing. I suspect this needed to be rushed out before COD hit and after Halo. The litany of little complains mounts slowly. I’ve tried out other modes, but I play mostly Team Assault (essentially team deathmatch). I’ll constantly compare this to the current bar: Call of Duty.

• no team balancing! Yes, really, if your team is getting owned, you’ll keep getting owned until players come and go. This is the COD equivalent of being forced, at times, to play against a whole clan/party. The sorts of games I often avoid if I’m not the one in a large party. Also, if you and a buddy join a game and are placed on different teams despite being in a party/playgroup, you have to back out, reinvite, and rejoin a game to get on the same team. The game doesn’t recover from this. (This happened only twice for me, but that’s two times the game should have recovered on the next map.)
• I shit you not, there is no way to tell who is talking. There’s no indicationo on the HUD and no indication in the player score tab or minimap or big map. None.
• no audio and really no visual indication that a match is ready to be joined. And it never starts on its own, you *have* to press A. So if you’ve turned to a buddy to jaw a bit or grabbed a drink in between matches, you never know without closely watching the screen that the game is under way. COD had an audio tick, a timer, and forcefully started the match for you.
• As in COD:MW2, shotguns still feel way over-powered, even at a distance. At least you can’t run around like an idiot getting cheap kills by double-fisting them…
• I dislike multiplayer games where the more you play, then the better you are. MOH doesn’t make any attempt to fix this. The more you play, the more you unlock. I have high hopes that COD:BO will get this right with the purchasing mechanic.
• I also dislike abilities that allow better players to be even better by scoring kills in a row. An example is COD:MW2. If you’re good enough to get 5 kills in a row, the game will help you get another 20 cheesy kills (predator, harrier, chopper=nuke). If you’re already slightly better, the game makes the gulf even bigger. At least in MOH the rewards are based on points and not kills and it is harder to string them together without some additional kills of your own in the middle. So this is better than COD, at least.
• between-game screens suck! Not only do they rotate in a forced fashion (game scores, your stats, and then map description text which is useless), but you get very little time to absorb much. COD gives you about 30 seconds to digest information and jaw with players. MOH gives about 5 seconds.
• between-game screens suck 2! There’s not much information here, but at least what is given is relevant. I just wish it didn’t need three screens to do it and wish there were better stats…like suicides, team kills, maybe some ratios on who I killed or who killed me more, etc. Oh, and you’ll never know how many assists you got. To MOHs credit, COD:MW2 also failed in this regard. COD:WaW was far (far!) superior.
• between-game screens suck 3! You can vote to skip a map, but you’ll never see any vote tally nor ever know the vote passed or failed. WTF?
• death text sucks. “Player1 [M124AM] Player2.” At least in COD you get an icon of the weapon used, which is a great and quick way to see how someone died. I don’t know what M124AM is and it will take a very long time to figure that out…
• death text sucks 2. No headshots are represented. I do like to know when I was headshot which would explain why I die so quick sometimes.
• death text sucks 3. I can’t describe how many double-kills I’ve had on players in game, but I would never know it if I hadn’t been playing right next to a buddy and could glance at his screen’s death text. It is very useful to know when a double-kill occurs because you know that your enemy is no longer in that spot.
• Hardcore doesn’t feel hardcore, other than the lack of a HUD. I should be expecting more one-shot kills.
• I really hate not being able to see teammate names when they’re 30 feet away from me or more. MOH displays them only if you’re close, but if you’re far away you just see the friendly marker. If I see a teammate ahead of me duck into a room and he dies, I want to be able to know who ran in and how he died. This plus the death text makes this impossible. Yes, I really do get into the meta-game of how the ebb and flow feel…if I know John went left, Bob went right, and Jim ran up the middle, and it took 15 seconds for John to die but only 2 for Jim to die, I have just gained a *lot* of intel about where the enemy is and where the flow is. MOH doesn’t give me any chance to play on this level.
• netcode is suspect. Far more than other games, I feel movement is glitchy when I’m next to a teammate. I also have plenty of moments where center-mass body shots gain me nothing but a shot I obviously missed on nets me a kill. Mysterious.
• netcode is suspect 2: There is no indication of your latency in game. None.
• Respawning is buggy. COD has done a great job making sure players spawn out of site of other players, but MOH has a lot to learn. I’m not sure I’ve actually ever seen someone spawn in COD, but in MOH I regularly actually see them spawn. There are moments where you can get set up and snipe guys spawning into the game. Not cool. Even less cool when you target artillery on a spawn. In COD, it happens but is rare that I die within seconds of a spawn. In MOH, it happens. A lot. More spawn locations and better ability to spawn out of sight is needed.
• Map flow is suspect. Somewhat similar to the spawn item above, there are places on some maps in Team Assault where you can pin an enemy into and it absolutely sucks to bust out. This smacks of poor playtesting or poor multiplayer map design. COD also has come a long way in this regard these days.
• In Team Assault, I really wish the maps had been larger. I really think game flow would be far better with larger maps where it is not just run 5 steps and start shooting. With some of these maps there is no chance to get a feel of the ebb and flow of the team dynamics. In maps that are big enough, they often suffer from a team being spawned in a poor corner and getting stuck in there.
• Defensive perks are lost quickly. Because of some of the issues with maps and game flow, defensive perks are very quickly lost because you can die. A lot. And quickly.
• Deaths are kinda slow (netcode?). It takes effort to figure out that I killed someone sometimes. They’ll take the hit, I’ll line up again, and then they keel over and I get the credit. Huh? Did he not know he was dead right away? Also in the same vein, I would love better indication on the HUD that I killed someone and who it was. COD:MW2 has this beautifully displayed along with their title/emblem for easy ID.
• No titles, emblems, or anything that really helps you distinguish yourself. Sure, you can unlock a new skin at higher levels, but there’s not much else you can do.
• When you step back for a moment, you realize there aren’t very many guns in the game.
• Your team in a deathmatch can lose the game even if you had more net kills. This is because the score is based on points, not kills. This means players who can score chains of kills and drop artillery or call in defensive perks get even more powerful/useful because they can influence the score more than someone with the same number of kills but not able to string them all together for rewards. Honestly, this assumption goes against 20 years of FPS game scoring, and it’s just weird.
• Not many maps. I’m likely spoiled by all the map packs in COD games, but so far MOH has very few maps to play.
• Because of issues with map flow and quickness, the special sniper ability to lay down an IED and detonate it is useless other than if that’s all you want to do. MOH really should have allowed trip-wired claymores instead of something you have to actually trigger. That way you can benefit from it, but yet still dig in and shoot your gun.
• Melee kills are underwhelming. COW:WaW had a *great* feel to them, and COD:MW2 was ok as well. Hatchet and knife kills in MOH are buggy, annoying, and have zero visceral feedback to them.

That’s a huge fucking list of complaints, but not everything is bad!

• No COD voice chatter. No, seriously, MOH games have been largely quiet that I’ve played in. No kids or rednecks or gangsters or trailer trash or toddlers droning on about the most idiotic things like you hear, constantly, in COD. Over the weekend, I think I heard maybe 6 other players actually talk. That’s out of many hundreds I played with.
• Physically, every player is on the same footing in game. There are no perks to run faster or have camoflage or quiet footsteps. The unlocks all pertain to weapons and gear, but not physical perks like COD. I like that.
• Unlimited running ability. No reason for soldiers to be winded after 10 steps!
• You can reload while running. We’ve obviously gotten more coordinated at Tier 1.
• You can change your weapons/class/loadout mid-game while dead.
• Minimap icons of enemies show which direction they’re facing.
• Unlike COD games, missile launchers, bazookas, and grenade launchers don’t feel as cheap and powerful in MOH. Despite the fact that 2 of the 3 classes almost always have them available on their person.

And one undecided item: In hardcore team assault modes, you can kill your teammates, but it often takes *lots* of shots to do so. Part of playing hardcore is to be much more careful in what you do, and that includes friendly fire. Now, this does eliminate morons who just go and kill everyone, but COD:MW2 has already demonstrated how to properly handle them quite nicely. And I will fully admit that I do sometimes pick out particularly whiney people who seem like the kinds of people who will blow up at me if I kill them, to actually kill them when they’re on my team. I’m rarely wrong, and am far too entertained by such demonstrations by hot-tempered persons.

In the end, this game is making for a nice break between COD titles, but without a lot of polish and hot-patching, it leaves a large gap that needs work before it feels like a fun way to spend my time.

Andy has another post I wanted to highlight, which itself echoes a post from Gunnar Peterson. They both cite a survey that shows:
top security purchases:

• firewalls
• antivirus
• authentication
• anti-malware

top security concerns:

• mobile computing
• social networks
• cloud computing

I’m not surprised by this mismatch. In fact, I’d even go so far as to say this isn’t something that will ever change, nor should we get all steamed up about changing it. In 10 years, we’ll still have bleeding edge, complex items in the biggest concerns list, and the things we’re finally getting around to understanding will be the major parts of our spending.

Now, Gunnar and Andy both have excellent points, specifically about IT teams seeing IT problems and solving them with IT solutions; in fact, I’m positive their points hold merit.

But I think there are other ideas that trump those (I did comment on their blogs about it, and later decided I should just blog here). Those top 3 concerns are bleedingly new such that:

• we fear new things because we don’t understand them, or don’t understand them because they’re new.
• they’re too new for us to have solid approaches to handling them.
• they’re too new for us to know if we should be worried or not! we tend to default to paranoid/worried, which is good!
• too new to have obvious budget items assigned to them. Can I buy a box or some software that provide “cloud security” or “social media security?”
• they’re so new the business doesn’t even know how to use them or what they want out of them. Let alone how we can secure them while still meeting or at least not stomping all over business needs. If the business doesn’t even know how to use them yet, I’m not sure security is in any position to guide that usage securely.

It also should be mentioned that these new things are being largely pushed via consumerland and into the business, with IT as a sort of, “Oh yeah,” thought. Firewalls, AV, AM, Auth are all IT responses to typically IT issues. Of course there is a difference there. They’re also very subjective issues, as opposed to very objective items like firewalls, known malicious bits, behaviors, signatures, ports. Business presents very complex issues that are often involving people (which we can’t patch) and that often don’t fit nicely into blanket rules. Even if we turned away from technical solutions and devoted our time into solving these problems, they are still not going to be neatly solved. Likewise, when push comes to shove, can you have and meet goals with firewalls? Can you show improvement? All of this flows from the rather subjective non-technical aspect of those issues. Sort of the difference between a child’s report card and the feedback you get from a parent-teacher conference. If you have a child, which one would you be most inclined to disagree with or not necessarily believe? (The answer is the subjective one!)

It could be said this is the natural progression of security and technology: from shoring up the technical controls to moving up the stack towards behavior and people. Sure, these 3 top concerns can be said to punch through firewalls and network segments, but that’s the nature of those things (social media “punching” through a firewall is far different than me punching through an SSH connection to bridge my home network; social media is akin to the *way* I use my SSH connection after the hold is already punched because it is needed; i.e. social media is the way port 80 is used.)

Basically, all indications point to not being surprised by this dichotomy. And I don’t think this is some further indication that IT/security is doing it wrong, or isn’t aligned properly with business, or has a technical dark-server-room background. I’m not saying we’re doing things right or we’re properly aligned, but the above isn’t a good argument to support the theory of those deficiencies.

Now for a really big jump. I’d liken the current increase in mobile computing to be as big as the introduction of computers into the business and later the PC/internet into business. Now, I wasn’t around when the former happened, nor was I in the industry when the personal computer revolution swept into business, but I would bet that is the closest comparison so far. I may even say the same for social media. These are damned new and they’re big changes beyond just bringing in Macs or new software or some new business process.

Via the infosecnews mailing list, I belatedly saw this excellent story about DefCon from a National Geographic reporter.

This is an example of what happens every year at the DefCon hacker conference in Las Vegas. Passionate hackers present their knowledge and capabilities, often times skirting the very fringes of legality. However, if you think that this is a convention for geek criminals, then you’ve been watching too much NBC.

I really wish the article had been Wired-feature-like in length (i.e. 5 more pages), but still the author gets his point across and is worth the quick read.

The attendees at DefCon are pioneers on a myriad of levels. Socially they challenge convention on every strata. Fashion-wise there are no boundaries and norms, just personal styles that clothe intelligent minds. In the realm of the internet, communications and other security genres, there is no equal.